Like most security professionals I am spending a large amount of time helping my company move securely to AWS.
Certificate management in AWS is done with AWS Certificate Manager, and while it does offer *free* certificates, ACM-generated certs are outside your direct control. You don’t get the private keys, which, at least for some workloads, should probably be a non-starter (granted, for plenty of other things it’s likely ¯\_(ツ)_/¯).
I also really like DigiCert and have been using them for TLS certificates for over 10 years, but I could not find any existing automation for DigiCert to AWS ACM, so I spent some time this week and hacked a script together to do it.
Here is a link to the script (also embedded at the bottom of the post). On the host running the script you will need the AWS CLI configured and a DigiCert API key. You also need to configure the first 15 lines of the script with your information.
To Run The Script:
./awasacm.sh your.fqdn.com
Script Output:
Here is what the script looks like running:
Here is the cert uploaded to ACM:
The script also saves all of the commands, keys and certs on the host running the script for auditing and backup:
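The following is an added example, not the author's awasacm.sh, showing the part of the flow that matters for key custody: the private key and CSR are generated on the host, the issued DigiCert cert is imported into ACM, and every command is appended to an audit log first. It assumes openssl and a configured AWS CLI are present; the DigiCert order itself is left to the operator, and the file names (`<domain>.crt`, `<domain>.chain.crt`, `audit.log`) and the `ACM_ARN` variable are this example's own conventions.

```shell
#!/bin/sh
# Added example (not the post's script): local key generation, ACM import,
# and an audit log of every command run. Assumes openssl and the AWS CLI.
set -eu

# Generate an unencrypted RSA key (ACM import rejects passphrase-protected
# keys) and a CSR for DOMAIN under OUTDIR, readable only by this user.
# Prints the CSR path so it can be handed to the DigiCert order step.
make_csr() {
  domain="$1"; outdir="$2"
  mkdir -p "$outdir" && chmod 700 "$outdir"
  umask 077
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
    -subj "/CN=$domain" >/dev/null 2>&1
  printf '%s\n' "$outdir/$domain.csr"
}

# Build the ACM import command for an issued cert. fileb:// makes the CLI
# send the PEM bytes verbatim. Passing an existing CertificateArn re-imports
# (rotates) in place, so ELB/CloudFront bindings keep the same ARN.
acm_import_cmd() {
  dir="$1"; domain="$2"; arn="${3:-}"
  cmd="aws acm import-certificate --certificate fileb://$dir/$domain.crt"
  cmd="$cmd --private-key fileb://$dir/$domain.key"
  cmd="$cmd --certificate-chain fileb://$dir/$domain.chain.crt"
  if [ -n "$arn" ]; then cmd="$cmd --certificate-arn $arn"; fi
  printf '%s\n' "$cmd"
}

# Append a timestamped copy of the command to LOG, then run it.
run_logged() {
  log="$1"; cmdline="$2"
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$cmdline" >> "$log"
  sh -c "$cmdline"
}

# Usage: ./example.sh your.fqdn.com [outdir]   (no args: define functions only)
if [ "$#" -ge 1 ]; then
  DOMAIN="$1"; DIR="${2:-./certs}"
  csr=$(make_csr "$DOMAIN" "$DIR")
  echo "CSR at $csr: order the cert from DigiCert with it, then save the"
  echo "leaf as $DIR/$DOMAIN.crt and the intermediates as $DIR/$DOMAIN.chain.crt"
  if [ -f "$DIR/$DOMAIN.crt" ]; then
    run_logged "$DIR/audit.log" "$(acm_import_cmd "$DIR" "$DOMAIN" "${ACM_ARN:-}")"
  fi
fi
```

Set `ACM_ARN` to the certificate's existing ARN on renewals so the import replaces the old cert rather than creating a second entry in ACM.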
Full Script:
https://gist.github.com/jgamblin/f8bd03d3743ba4f08f710d5e11c177c7
Closing:
I will be making improvements to this script as we implement it in production and will likely move it to a full GitHub repo soon. If you have any questions, please reach out to me on Twitter at @JGamblin.
Update: I have built a full GitHub repo here.